amazon.aws.iam_role: EntityAlreadyExists after 7.3.0 collection #2102

Open
1 task done
marcelmamula opened this issue May 3, 2024 · 0 comments
Labels
jira needs_verified Some one might want to take a look at this and reproduce it to confirm

Comments

@marcelmamula

Summary

I have been using the 7.3.0 collection for some time, but it stopped working with the upgrade to 7.5.0.
amazon.aws.iam_role is no longer able to ignore already existing entries and it fails with:

fatal: [ae1ascs -> localhost]: FAILED! => {
    "boto3_version": "1.34.97",
    "botocore_version": "1.34.97",
    "changed": false,
    "error": {
        "code": "EntityAlreadyExists",
        "message": "Instance Profile HA-Role-Pacemaker already exists.",
        "type": "Sender"
Traceback (most recent call last):
  File "/tmp/ansible_amazon.aws.iam_role_payload_olpq3tet/ansible_amazon.aws.iam_role_payload.zip/ansible_collections/amazon/aws/plugins/modules/iam_role.py", line 685, in main
    create_or_update_role(module, client)
  File "/tmp/ansible_amazon.aws.iam_role_payload_olpq3tet/ansible_amazon.aws.iam_role_payload.zip/ansible_collections/amazon/aws/plugins/modules/iam_role.py", line 496, in create_or_update_role
    changed |= create_instance_profiles(client, check_mode, role_name, path)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/ansible_amazon.aws.iam_role_payload_olpq3tet/ansible_amazon.aws.iam_role_payload.zip/ansible_collections/amazon/aws/plugins/modules/iam_role.py", line 523, in create_instance_profiles
    create_iam_instance_profile(client, role_name, path, {})
  File "/tmp/ansible_amazon.aws.iam_role_payload_olpq3tet/ansible_amazon.aws.iam_role_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/errors.py", line 46, in handler
    raise cls._CUSTOM_EXCEPTION(message=f"Failed to {description}", exception=e) from e
ansible_collections.amazon.aws.plugins.module_utils.iam.AnsibleIAMError: Failed to create instance profile: An error occurred (EntityAlreadyExists) when calling the CreateInstanceProfile operation: Instance Profile HA-Role-Pacemaker already exists.

Issue Type

Bug Report

Component Name

amazon.aws.iam_role

Ansible Version

$ ansible --version
ansible [core 2.16.6]
  config file = None
  configured module search path = ['/home/mmamula/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /home/mmamula/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.11.9 (main, Apr 08 2024, 06:18:15) [GCC] (/usr/bin/python3.11)
  jinja version = 3.1.3
  libyaml = True

Collection Versions

$ ansible-galaxy collection list
Collection                               Version
---------------------------------------- -------
amazon.aws                               7.5.0
ansible.netcommon                        5.3.0
ansible.posix                            1.5.4
ansible.utils                            2.12.0
ansible.windows                          2.3.0
arista.eos                               6.2.2
awx.awx                                  23.9.0
azure.azcollection                       1.19.0
check_point.mgmt                         5.2.3
chocolatey.chocolatey                    1.5.1
cisco.aci                                2.9.0
cisco.asa                                4.0.3
cisco.dnac                               6.13.3
cisco.intersight                         2.0.8
cisco.ios                                5.3.0
cisco.iosxr                              6.1.1
cisco.ise                                2.8.1
cisco.meraki                             2.18.0
cisco.mso                                2.6.0
cisco.nxos                               5.3.0
cisco.ucs                                1.10.0
cloud.common                             2.1.4
cloudscale_ch.cloud                      2.3.1
community.aws                            7.2.0
community.azure                          2.0.0
community.ciscosmb                       1.0.7
community.crypto                         2.19.0
community.digitalocean                   1.26.0
community.dns                            2.9.0
community.docker                         3.9.0
community.general                        8.6.0
community.grafana                        1.8.0
community.hashi_vault                    6.2.0
community.hrobot                         1.9.2
community.library_inventory_filtering_v1 1.0.1
community.libvirt                        1.3.0
community.mongodb                        1.7.3
community.mysql                          3.9.0
community.network                        5.0.2
community.okd                            2.3.0
community.postgresql                     3.4.0
community.proxysql                       1.5.1
community.rabbitmq                       1.3.0
community.routeros                       2.15.0
community.sap                            2.0.0
community.sap_libs                       1.4.2
community.sops                           1.6.7
community.vmware                         4.3.0
community.windows                        2.2.0
community.zabbix                         2.3.1
containers.podman                        1.13.0
cyberark.conjur                          1.2.2
cyberark.pas                             1.0.25
dellemc.enterprise_sonic                 2.4.0
dellemc.openmanage                       8.7.0
dellemc.powerflex                        2.3.0
dellemc.unity                            1.7.1
f5networks.f5_modules                    1.28.0
fortinet.fortimanager                    2.4.0
fortinet.fortios                         2.3.6
frr.frr                                  2.0.2
gluster.gluster                          1.0.2
google.cloud                             1.3.0
grafana.grafana                          2.2.5
hetzner.hcloud                           2.5.0
hpe.nimble                               1.1.4
ibm.qradar                               2.1.0
ibm.spectrum_virtualize                  2.0.0
ibm.storage_virtualize                   2.3.1
infinidat.infinibox                      1.4.5
infoblox.nios_modules                    1.6.1
inspur.ispim                             2.2.0
inspur.sm                                2.3.0
junipernetworks.junos                    5.3.1
kubernetes.core                          2.4.2
lowlydba.sqlserver                       2.3.2
microsoft.ad                             1.5.0
netapp.aws                               21.7.1
netapp.azure                             21.10.1
netapp.cloudmanager                      21.22.1
netapp.elementsw                         21.7.0
netapp.ontap                             22.11.0
netapp.storagegrid                       21.12.0
netapp.um_info                           21.8.1
netapp_eseries.santricity                1.4.0
netbox.netbox                            3.17.0
ngine_io.cloudstack                      2.3.0
ngine_io.exoscale                        1.1.0
openstack.cloud                          2.2.0
openvswitch.openvswitch                  2.1.1
ovirt.ovirt                              3.2.0
purestorage.flasharray                   1.27.0
purestorage.flashblade                   1.17.0
purestorage.fusion                       1.6.1
sensu.sensu_go                           1.14.0
splunk.es                                2.1.2
t_systems_mms.icinga_director            2.0.1
telekom_mms.icinga_director              1.35.0
theforeman.foreman                       3.15.0
vmware.vmware_rest                       2.3.1
vultr.cloud                              1.12.1
vyos.vyos                                4.1.0
wti.remote                               1.0.5

AWS SDK versions

$ pip show boto boto3 botocore
Name: boto
Version: 2.49.0
Summary: Amazon Web Services Library
Home-page: https://github.com/boto/boto/
Author: Mitch Garnaat
Author-email: mitch@garnaat.com
License: MIT
Location: /home/mmamula/.local/lib/python3.11/site-packages
Requires:
Required-by:
---
Name: boto3
Version: 1.34.97
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /home/mmamula/.local/lib/python3.11/site-packages
Requires: botocore, jmespath, s3transfer
Required-by:
---
Name: botocore
Version: 1.34.97
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email:
License: Apache License 2.0
Location: /home/mmamula/.local/lib/python3.11/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: boto3, s3transfer

Configuration

$ ansible-config dump --only-changed
CONFIG_FILE() = None
PAGER(env: PAGER) = less

OS / Environment

SLES for SAP 15 SP3
SLES for SAP 15 SP5
openSUSE Tumbleweed

Steps to Reproduce

- name: AWS IAM Role - HA-Role-Pacemaker
  register: __sap_vm_provision_task_aws_iam_role_ha_pacemaker
  no_log: "{{ __sap_vm_provision_no_log }}"
  amazon.aws.iam_role:
    name: "HA-Role-Pacemaker"
    assume_role_policy_document: |
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Sid": "",
                  "Principal": {
                      "Service": "ec2.amazonaws.com"
                  }
              }
          ]
      }
    access_key: "{{ sap_vm_provision_aws_access_key }}"
    secret_key: "{{ sap_vm_provision_aws_secret_access_key }}"

https://github.com/sap-linuxlab/community.sap_infrastructure/blob/0e67afc14738c8731192ef9f5040496c4a96e9b1/roles/sap_vm_provision/tasks/platform_ansible/aws_ec2_vs/execute_setup_ha.yml#L257

Expected Results

IAM role HA-Role-Pacemaker is created.

Actual Results

fatal: [ae1ascs -> localhost]: FAILED! => {
    "boto3_version": "1.34.97",
    "botocore_version": "1.34.97",
    "changed": false,
    "error": {
        "code": "EntityAlreadyExists",
        "message": "Instance Profile HA-Role-Pacemaker already exists.",
        "type": "Sender"
    },
    "invocation": {
        "module_args": {
            "access_key": "XXX",
            "assume_role_policy_document": "{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": \"sts:AssumeRole\",\n            \"Sid\": \"\",\n            \"Principal\": {\n                \"Service\": \"ec2.amazonaws.com\"\n            }\n        }\n    ]\n}",
            "aws_ca_bundle": null,
            "aws_config": null,
            "boundary": null,
            "create_instance_profile": true,
            "debug_botocore_endpoint_logs": false,
            "delete_instance_profile": false,
            "description": null,
            "endpoint_url": null,
            "managed_policies": null,
            "max_session_duration": null,
            "name": "HA-Role-Pacemaker",
            "path": null,
            "profile": null,
            "purge_policies": true,
            "purge_tags": true,
            "region": "eu-central-1",
            "secret_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "session_token": null,
            "state": "present",
            "tags": null,
            "validate_certs": true,
            "wait": true,
            "wait_timeout": 120
        }
    },
    "msg": "Failed to create instance profile: An error occurred (EntityAlreadyExists) when calling the CreateInstanceProfile operation: Instance Profile HA-Role-Pacemaker already exists.",
    "response_metadata": {
        "http_headers": {
            "content-length": "301",
            "content-type": "text/xml",
            "date": "Fri, 03 May 2024 08:20:06 GMT",
            "x-amzn-requestid": "922e49ae-286c-4c03-b673-ed8a22bb13d1"
        },
        "http_status_code": 409,
        "request_id": "933e49ae-286c-4c03-b673-ed8a66bb13d1",
        "retry_attempts": 0
    }
}

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@alinabuzachis alinabuzachis transferred this issue from ansible-collections/community.aws May 17, 2024
@alinabuzachis alinabuzachis added needs_verified Some one might want to take a look at this and reproduce it to confirm jira labels May 21, 2024
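
The traceback above shows CreateInstanceProfile raising EntityAlreadyExists on a re-run. The following is an added example, not the collection's code, of an idempotent handler that tolerates that error but still checks which role the existing profile is bound to. `ensure_instance_profile`, `FakeIAM` and the `ClientError` stand-in are hypothetical names built so the sketch runs offline; the method names and error codes mirror boto3's IAM client.

```python
# Added example: idempotent instance-profile handling for the failure above.
# FakeIAM and ClientError are constructed stand-ins so this runs offline; the
# method names and error codes mirror boto3's IAM client.

class ClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError (same .response shape)."""
    def __init__(self, code, operation):
        super().__init__(f"An error occurred ({code}) when calling the {operation} operation")
        self.response = {"Error": {"Code": code}}


class FakeIAM:
    """Constructed in-memory IAM: profile name -> list of attached role names."""
    def __init__(self, profiles=None):
        self.profiles = {k: list(v) for k, v in (profiles or {}).items()}

    def get_instance_profile(self, InstanceProfileName):
        if InstanceProfileName not in self.profiles:
            raise ClientError("NoSuchEntity", "GetInstanceProfile")
        roles = [{"RoleName": r} for r in self.profiles[InstanceProfileName]]
        return {"InstanceProfile": {"InstanceProfileName": InstanceProfileName, "Roles": roles}}

    def create_instance_profile(self, InstanceProfileName, Path="/"):
        if InstanceProfileName in self.profiles:
            raise ClientError("EntityAlreadyExists", "CreateInstanceProfile")
        self.profiles[InstanceProfileName] = []

    def add_role_to_instance_profile(self, InstanceProfileName, RoleName):
        self.profiles[InstanceProfileName].append(RoleName)


def ensure_instance_profile(client, role_name, path="/"):
    """Return True if anything changed; never fail just because the profile exists."""
    changed = False
    try:
        client.create_instance_profile(InstanceProfileName=role_name, Path=path)
        changed = True
    except ClientError as e:
        if e.response["Error"]["Code"] != "EntityAlreadyExists":
            raise  # other failures (e.g. AccessDenied) must still surface
    profile = client.get_instance_profile(InstanceProfileName=role_name)["InstanceProfile"]
    attached = [r["RoleName"] for r in profile["Roles"]]
    if attached == [role_name]:
        return changed
    if attached:
        # Same-named profile bound to another role: refuse rather than silently reuse it.
        raise RuntimeError(f"instance profile {role_name} is attached to {attached}")
    client.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return True
```
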